Cybersecurity Radar — 2026-04-13
A critical unauthenticated remote code execution flaw in the Python notebook tool Marimo (CVE-2026-39987, CVSS 9.3) was weaponized within 10 hours of public disclosure, underscoring the shrinking window between vulnerability publication and active exploitation. Simultaneously, a previously undocumented phishing-as-a-service (PhaaS) platform dubbed "VENOM" has been identified targeting C-suite executive credentials across multiple industries. The U.S. public sector is under intensifying pressure, with Trend Micro reporting that AI is lowering barriers for sophisticated nation-state attacks while rapidly expanding the attack surface.
🔴 Critical Alerts
Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure
A pre-authenticated remote code execution vulnerability in Marimo — an open-source Python notebook platform widely used for data science and analysis — was exploited in the wild within just 10 hours of public disclosure, according to Sysdig. The flaw (CVE-2026-39987, CVSS 9.3) affects all versions of Marimo prior to and including 0.20.4, enabling unauthenticated attackers to execute arbitrary code and steal credentials. All users of Marimo should immediately upgrade beyond version 0.20.4. The speed of exploitation highlights the severe risk of delay in patching publicly disclosed vulnerabilities.

VENOM Phishing-as-a-Service Platform Targeting C-Suite Executives
Threat actors leveraging a previously undocumented phishing-as-a-service (PhaaS) platform called "VENOM" are actively targeting credentials of C-suite executives across multiple industries, according to BleepingComputer. The platform, first detected on April 9, 2026, industrializes spear-phishing by offering it as a managed service — lowering the technical bar for credential theft against high-value targets. Organizations should review email security controls, enforce phishing-resistant MFA for executive accounts, and brief leadership on targeted social engineering risks.
Threat Landscape
U.S. Public Sector Under Siege from AI-Accelerated Nation-State Attacks
A new Q1 2026 Trend Micro threat intelligence report details how AI is simultaneously lowering the barrier to sophisticated attacks and expanding the attack surface through rapid adoption of AI-enabled government services. Nation-state actors have demonstrated the ability to penetrate the highest levels of government infrastructure. The report warns that the convergence of AI tooling and geopolitical motivation is accelerating attack tempo against federal, state, and local targets.

Stolen Credentials Fueling Combined Ransomware and Nation-State Operations
SecurityWeek reports that stolen logins have become the common thread linking ransomware campaigns and nation-state intrusions. The financially motivated threat actor "Shai-Hulud" is noted for destructive behavior — including attempting to delete victim home directories when little data is found to harvest — blurring the line between criminal and geopolitical motivations. The trend reflects a broader collapse of the distinction between APT and cybercriminal TTPs, particularly as ransomware groups operate with tacit state approval.
Check Point: European Commission Confirmed Data Breach via Europa.eu
Check Point Research's April 6 threat intelligence report confirms the European Commission suffered a data breach after its Europa.eu platform was compromised. The executive body of the European Union acknowledged the incident after attackers gained unauthorized access through the platform. Further technical details are pending full disclosure.
Vulnerabilities & Patches
CVE-2026-39987 — Marimo Python Notebook (CVSS 9.3, Actively Exploited)
Pre-authenticated remote code execution flaw affecting all Marimo versions ≤ 0.20.4. Exploited within 10 hours of public disclosure, enabling unauthenticated RCE and credential theft. Action: Upgrade to the latest version immediately.
CVE-2026-35616 — Fortinet FortiClient EMS (CVSS 9.1, Actively Exploited)
An authentication bypass/privilege escalation flaw in FortiClient EMS versions 7.4.5–7.4.6, exploited in the wild since at least March 31, 2026. Fortinet has issued emergency patches and hotfixes. This is the latest in a string of actively exploited Fortinet vulnerabilities. Action: Apply the emergency patch immediately; CISA has added this to its Known Exploited Vulnerabilities catalog.
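The affected version ranges in the two advisories above are precise enough to drive an inventory check. The following is an added example, not code from this digest, from Marimo or from Fortinet: the ranges it encodes are exactly the ones stated above (Marimo ≤ 0.20.4; FortiClient EMS 7.4.5 through 7.4.6), while the inventory format, host names and product key strings are constructed for illustration.

```python
"""Affected-version inventory check for the two actively exploited flaws in
this digest. Added example; the affected ranges are the digest's, the
inventory format and host names are constructed."""
import re

# Affected ranges as stated in the digest. "min" is None when the advisory
# covers every release up to and including "max".
ADVISORIES = {
    "CVE-2026-39987": {"product": "marimo", "min": None, "max": "0.20.4"},
    "CVE-2026-35616": {"product": "forticlient-ems", "min": "7.4.5", "max": "7.4.6"},
}


def parse_version(text):
    """Turn '7.4.6', 'v0.20.4' or '0.20.4rc1' into a tuple of ints.

    Pre-release suffixes are dropped, so a release candidate compares equal to
    its base release. That errs on the side of flagging, which is what an
    inventory sweep for an actively exploited bug should do."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(product, version, advisory):
    """True when (product, version) falls inside the advisory's stated range."""
    rule = ADVISORIES[advisory]
    if product.lower() != rule["product"]:
        return False
    v = parse_version(version)
    if rule["min"] is not None and v < parse_version(rule["min"]):
        return False
    return v <= parse_version(rule["max"])


def find_exposed(inventory):
    """inventory: iterable of (host, product, version) triples.

    Returns a list of (host, product, version, advisory) for every install
    that matches one of the advisories above."""
    hits = []
    for host, product, version in inventory:
        for cve in ADVISORIES:
            if is_affected(product, version, cve):
                hits.append((host, product, version, cve))
    return hits


# Constructed sample inventory, e.g. from `pip freeze` on notebook hosts and
# the EMS console's reported build. Host names are placeholders.
SAMPLE_INVENTORY = [
    ("ds-notebook-01", "marimo", "0.20.4"),          # last release in the affected range
    ("ds-notebook-02", "marimo", "0.20.5"),          # above the affected range
    ("ds-notebook-03", "marimo", "0.19.0"),          # older, affected
    ("ems-console-01", "FortiClient-EMS", "7.4.5"),  # inside 7.4.5-7.4.6
    ("ems-console-02", "FortiClient-EMS", "7.4.4"),  # below the stated range
    ("ems-console-03", "FortiClient-EMS", "7.4.7"),  # above the stated range
]

if __name__ == "__main__":
    for host, product, version, cve in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected by {cve}; patch now")
```

The check flags only what the advisories name; an install just below the FortiClient EMS range is not reported, and a pre-release of 0.20.4 is treated as 0.20.4. Feed it the real inventory rather than the constructed one, and re-run after patching to confirm nothing is left in range.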

BlueHammer — Unpatched Windows Local Privilege Escalation Zero-Day (No CVE/Patch Yet)
A disgruntled researcher publicly leaked a proof-of-concept exploit for an unpatched Windows local privilege escalation (LPE) vulnerability dubbed "BlueHammer." The flaw combines a time-of-check to time-of-use (TOCTOU) vulnerability with path confusion, enabling attackers to gain SYSTEM or administrator rights. No Microsoft patch exists as of the time of reporting. Action: Monitor for Microsoft guidance and apply mitigations as they become available; restrict untrusted code execution on Windows endpoints.
Breaches & Incidents
European Commission Data Breach via Europa.eu Platform
The European Commission confirmed a data breach after its Europa.eu platform was compromised. The incident was highlighted in Check Point Research's April 6 threat intelligence report covering the week of March 30. The scope of data exposed and attribution have not been fully disclosed. The breach underscores persistent targeting of high-profile government digital infrastructure.
66% of Global Organizations Breached at Least Once in the Past Year
According to the 2026 Armis Cyberwarfare Report, 66% of global IT leaders report experiencing up to two breaches in the past year — an increase from the prior year — despite 79% claiming preparedness. The report highlights nation-state attacks now operating at machine speed, with Armis Labs issuing active warnings to organizations worldwide.
Industry & Policy
Trend Micro Raises Alarm on AI-Enabled Attack Surface Expansion in Government
In a report published April 10, 2026, Trend Micro warns that rapid government adoption of AI-enabled services is inadvertently expanding the attack surface exploitable by nation-state actors. The research recommends agencies establish dedicated AI security governance frameworks alongside traditional cybersecurity controls.
Armis 2026 Cyberwarfare Report: Nation-State Attacks Now at Machine Speed
Armis Labs published its 2026 Cyberwarfare Report, finding that nation-state offensive operations have accelerated to near-autonomous speed, enabled by AI and automation. The report notes a significant gap between perceived preparedness (79%) and actual breach experience (66%), urging organizations to move beyond self-assessment and adopt real-time asset intelligence.
Ransomware Slowdown Masks Deepening Nation-State Threat to Critical Infrastructure
The Waterfall Threat Report 2026 notes a 25% decline in publicly recorded cyber breaches with physical consequences (57 incidents in 2025 vs. 76 in 2024), attributing this partly to temporary factors. However, analysts warn the decline masks a structural shift toward more covert, persistent nation-state operations against critical infrastructure that avoid public disclosure.
What to Watch
- BlueHammer Windows zero-day escalation: No patch currently exists for this publicly released LPE exploit. Watch for a Microsoft out-of-band patch release and expect opportunistic threat actors to begin integrating this exploit into attack chains imminently.
- VENOM PhaaS expansion: The newly surfaced phishing-as-a-service platform targeting executives is in early observed stages — anticipate broader industry targeting and potential infrastructure takedown attempts by law enforcement as visibility grows.
- AI-accelerated attack tempo against public sector: With Q1 2026 data confirming AI is enabling machine-speed nation-state intrusions, government contractors and agencies should expect continued high-frequency exploitation attempts through AI-assisted vulnerability discovery and spear-phishing automation.
Reader Action Items
- Patch Marimo immediately (CVE-2026-39987): If your organization uses Marimo notebooks — particularly in data science or AI/ML pipelines — upgrade all instances beyond version 0.20.4 without delay. The 10-hour exploitation window leaves no time for phased rollouts.
- Apply FortiClient EMS emergency hotfix (CVE-2026-35616): If running FortiClient EMS versions 7.4.5 or 7.4.6, apply Fortinet's emergency patch immediately. Treat any unexplained privilege changes on FortiClient-managed endpoints as potential indicators of compromise and conduct retrospective log review from March 31 onward.
- Harden executive accounts against VENOM PhaaS: Enforce phishing-resistant MFA (FIDO2/hardware keys) on all C-suite and privileged accounts, conduct targeted awareness briefings on executive spear-phishing, and review email gateway configurations for newly registered or lookalike domains targeting your organization's leadership.
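The last action item asks for a gateway review for lookalike domains aimed at leadership. The following is an added example of that check, not code from this digest or from any vendor it names: it generates confusable variants of a protected domain and classifies inbound sender domains against them. The protected domain, the sender addresses and the homoglyph table are constructed for illustration; real gateways use much larger confusable tables.

```python
"""Lookalike-domain check for inbound mail to leadership accounts.
Added example; protected domain, senders and the homoglyph table are
constructed, not taken from the digest."""

# Small, hand-picked set of visually confusable substitutions (assumption).
HOMOGLYPHS = {
    "m": ["rn", "nn"], "rn": ["m"], "l": ["1", "i"], "i": ["l", "1"],
    "o": ["0"], "0": ["o"], "e": ["3"], "a": ["4"], "w": ["vv"], "vv": ["w"],
}


def edit_distance(a, b):
    """Levenshtein distance, row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def label_and_suffix(domain):
    """'acme-corp.example' -> ('acme-corp', 'example'). Only the registrable
    label is compared; the public suffix is checked separately."""
    label, _, suffix = domain.lower().rstrip(".").rpartition(".")
    return label, suffix


def homoglyph_variants(label):
    """Every label reachable by one confusable substitution from HOMOGLYPHS."""
    out = set()
    for src, repls in HOMOGLYPHS.items():
        start = label.find(src)
        while start != -1:
            for r in repls:
                out.add(label[:start] + r + label[start + len(src):])
            start = label.find(src, start + 1)
    out.discard(label)
    return out


def classify_sender(sender, protected_domain):
    """Return a reason string when the sender's domain imitates
    protected_domain, or None when it is the real domain or unrelated."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain == protected_domain.lower():
        return None
    plabel, psuffix = label_and_suffix(protected_domain)
    slabel, ssuffix = label_and_suffix(sender_domain)
    if slabel == plabel and ssuffix != psuffix:
        return "same label, different TLD"
    if slabel in homoglyph_variants(plabel):
        return "homoglyph of protected label"
    if edit_distance(slabel, plabel) <= 1:
        return "within one edit of protected label"
    if plabel in slabel:
        return "protected label embedded in sender label"
    return None


def scan_inbound(messages, protected_domain):
    """messages: iterable of (sender, subject). Returns (sender, subject,
    reason) for every message whose sender domain looks like the protected
    domain; these are the ones to quarantine or route for review."""
    flagged = []
    for sender, subject in messages:
        reason = classify_sender(sender, protected_domain)
        if reason:
            flagged.append((sender, subject, reason))
    return flagged


# Constructed sample: the organization's domain and a handful of inbound senders.
PROTECTED_DOMAIN = "acme-corp.example"
SAMPLE_MESSAGES = [
    ("ceo@acme-corp.example", "Board deck v3"),                 # legitimate
    ("cfo@acrne-corp.example", "Urgent wire approval"),         # rn for m
    ("it-helpdesk@acme-corp.co", "Password expiry notice"),     # TLD swap
    ("board@acme-c0rp.example", "Revised agenda"),              # zero for o
    ("partner@example-bank.example", "Q2 statement"),           # unrelated
    ("finance@acme-corp-secure.example", "MFA re-enrolment"),   # label embedded
    ("news@acmecorp.example", "Leadership update"),             # hyphen dropped
]

if __name__ == "__main__":
    for sender, subject, reason in scan_inbound(SAMPLE_MESSAGES, PROTECTED_DOMAIN):
        print(f"FLAG {sender!r} ({reason}): {subject}")
```

The classification is deliberately strict on the registrable label and ignores subdomains, so a spoofed display name or a look-alike hosted under an unrelated parent domain still needs the usual SPF/DKIM/DMARC checks alongside it. Registration age, the other half of the action item, cannot be judged offline and would come from an RDAP or WHOIS lookup that this example does not perform.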
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.